1. Field of the Invention
The present invention relates generally to information processing and, more particularly, to systems and methods for regulating access and maintaining security of individual computer systems connected to local area networks (LANs) or larger open networks (Wide Area Networks or WANs), including the Internet.
2. Description of the Background Art
The first computers were largely stand-alone units with no direct connection to other computers or computer networks. Data exchanges between computers were mainly accomplished by exchanging magnetic or optical media such as floppy disks. Over time, more and more computers were connected to each other using Local Area Networks or “LANs”. In both cases, maintaining security and controlling what information a computer user could access was relatively simple because the overall computing environment was limited and clearly defined.
In traditional computing networks, a desktop computer largely remained in a fixed location and was physically connected to a single local network via Ethernet. More recently, however, an increasingly large number of business and individual users are using portable computing devices, such as laptop computers, that are moved frequently and that connect into more than one network. For example, many users now have laptop computers that are plugged into a corporate network during the day and are plugged into a home network during the evening. The number of mobile computing devices, and the networks that they connect to, has increased dramatically in recent years. Computing devices can be connected to networks at home, at work, and in numerous other locations.
In addition, various different types of connections may be utilized to connect to these different networks. A dial-up modem may be used for remote access to an office network. Various types of wireless connectivity, including IEEE (Institute of Electrical and Electronics Engineers) 802.11 and Bluetooth, are also increasingly popular. Wireless networks often have a large number of different users that are occasionally connected from time to time. Moreover, connection to these networks is often very easy, as connection does not require a physical link. For example, a user can install an 802.11 wireless transceiver on the roof of his or her home to share an Internet connection with his or her neighbors. As another example, a user can be temporarily connected to a wireless network while commuting by an office building in which the network's wireless transceiver is located. Many users also connect to an increasingly large public network infrastructure. Wireless and other types of networks are frequently provided in cafes, airports, convention centers, and other public locations to enable mobile computer users to connect to the Internet. Thus, it is becoming easier for users to connect to a number of different networks from time to time through a number of different means.
In addition, a greater number of different types of mobile devices are connecting to these networks, including laptop computers, personal digital assistants (PDAs), cell phones, and various other computing devices. These mobile devices typically move frequently from location to location and connect to different networks at different times.
One of the implications of this increasing number of mobile devices occasionally connected to different networks is that traditional corporate firewall technologies are no longer effective to protect information on a mobile device. Traditional firewall products guard a boundary (or gateway) between a local network, such as a corporate network, and a larger network, such as the Internet. These products primarily regulate traffic between physical networks by establishing and enforcing rules that regulate access based upon the type of access request, the source requesting access, the connection port to be accessed, and other factors. For example, a firewall may permit access to a particular computer on port 80, but deny remote access to other computers on the network. A firewall may also permit access from a specific IP address or range (or zone) of IP addresses, but deny access from other addresses. Different security rules may be defined for different zones of addresses.
However, mobile devices that are moving from network to network are not always connected to the same physical network. The corporate firewall provides protection when the mobile device is connected to that particular corporate network, but provides no protection when the device is connected to other networks. Traditional firewall technology guarding a network boundary does not protect against traffic that does not traverse that boundary. It does not regulate traffic between two devices within the network or two devices outside the network. In addition, a mobile user often has little knowledge or control over the security systems in place on the various networks to which he or she may be connected from time to time.
One security measure that can be implemented by a mobile user is to install a personal firewall (or end point security) product on his or her mobile device to control traffic into and out of this mobile device irrespective of the network to which he or she may be connected. A personal firewall product can regulate all traffic into and out of a particular computer or device. However, in this mobile environment it is very desirable for a user to be able to distinguish between the various networks and devices to which he or she is connecting. For example, if a user is at home, he or she most likely wants to allow very open communication with other home computers and devices. On the other hand, if the user is staying in a hotel, he or she would typically prefer much more limited communication with other computers and devices in the hotel.
In the highly mobile environment described above, a significant problem is that many local networks have the same IP addresses. IP addresses on the Internet are unique, but certain address ranges are reserved for local use and not available on the Internet (e.g., 10.10.x.x, 192.168.x.x, 172.x.x.x., etc.). Many local networks show a single address (for example, their gateway server's address) to those outside the network even though there are multiple machines on the local network. A network address translation (or NAT) mechanism routes communications from outside the network to the appropriate local machine. Within a local network, IP addresses are often dynamically assigned within particular ranges by a Dynamic Host Configuration Protocol (or DHCP) server. NAT and DHCP devices used on different networks frequently use addresses within the same range (i.e., a DHCP server on network A and a DHCP server on network B will often issue the same IP address to a machine on their own network). As a result, the IP addresses of machines and devices on local networks are not unique and, in fact, are frequently duplicated on other networks.
As an illustration of this problem, assume a woman named Alice owns a laptop computer LC1, which was supplied to her by her employer. At home, Alice normally plugs the laptop into her home network N1, which is served by her home-based NAT-enabled router R1. This Ethernet network connects R1, LC1, and the other computers in her home (PC1 and PC2) together into one network. Because R1 is also a DHCP server configured with a network address of 192.168.1.0/8 (or 192.168.1.0/255.255.255.0), the DHCP server assigns LC1, PC1, and PC2 distinct IP addresses in the subnet 192.168.1.0/8 as follows:                R1: IP address=192.168.1.1        LC1: IP address=192.168.1.100; subnet mask=255,255.255.0; gateway=192.168.1.1        PC1: IP address=192.168.1.101; subnet mask=255.255.255.0; gateway=192.168.1.1        PC2: IP address=192.168.1.102; subnet mask=255.255.255.0; gateway=192.168.1.1Alice configures her personal firewalls on LC1, PC1, and PC2 to include the subnet 192.168.1.0/8, and configures each computer's firewall rules to permit file-sharing service traffic (port 139, in Windows 98) among the computers on the local network. This allows Alice to share files between her computers, while preventing access to her files from outside the network.        
When Alice takes her laptop to her office, she plugs it into a corporate network, N2, which also operates a NAT/DHCP/router R2. Although it was configured by the company's network administrator (not Alice), R2 is configured identically to Alice's home network (i.e., it provides DHCP addresses on the 192.168.1.0/8 network). Bob, Alice's coworker, uses another computer, PC3, which is plugged into the same Ethernet network N2.                R2: IP address=192.168.1.1        LC1: IP address=192.168.1.105; subnet mask=255.255.255.0; gateway=192.168.1.1        PC2: IP address=192.168.1.101; subnet mask=255.255.255.0; gateway=192.168.1.1Although Alice's laptop LC1 is plugged into a different physical network N2 containing different computers (R2, PC3), her personal firewall treats these computers as if they were attached to her home network N1 because they have the same IP addresses. This means that, as far as the firewall is concerned, Bob's computer should be able to share Alice's files. In this case, Alice may wish to permit Bob access to files on her laptop LC1, because she knows it is a company computer and contains company data.        
On a business trip Alice stays in a hotel that provides in-room Internet networking. The hotel's Ethernet network N3 uses a router R3 that is configured identically to Alice's home network N1 and the corporate network N2, so when Alice plugs her laptop LC1 into the hotel's network N3, she is assigned an identical subnet mask. Staying in the same hotel is Craig, who works for a rival company. Craig also has a laptop computer LC2, which he can plug into the hotel network and obtain an IP address from the network.                R3: IP address=192.168.1.1        LC1: IP address=192.168.1.109; subnet mask=255.255.255.0; gateway=192.168.1.1        LC2: IP address=192.168.1.120; subnet mask=255.255.255.0; gateway=192.168.1.1Because the network is configured identically, Alice's personal firewall will permit access from anywhere in the hotel to her computer's file sharing services. This will permit Craig to read confidential company data from Alice's laptop computer LC1.        
As illustrated above, mobile machines connecting to various different addresses cannot rely solely on IP addresses and subnet masks to identify a network or the machines and devices residing on the network. A mobile computer user clearly needs a way to permit reconfiguration of the personal firewall as his or her laptop is plugged into each network. However, the user may lack the technical skills to reconfigure the personal firewall, or may simply forget that the firewall needs to be reconfigured each time the laptop is connected to a different network.
One approach to handle this problem is to include or exclude a network from the trusted zone based on the physical adapter being used to connect to the network. Each network interface adapter attached to the network could be included or excluded from the trusted zone. This is perhaps a viable alternative in the case of desktop computers that are typically connected to the same network every day, but is not an effective alternative in the case of mobile computers as it requires the mobile computer user to use a different network adapter card in order to distinguish between networks. This is an excessive burden on mobile computer users.
As the above example illustrates, many networks that a mobile computer can encounter may have the same basic IP network settings. Mobile computers configured with a static trusted zone IP address configuration cannot distinguish between these networks. This may significantly compromise security as a computer is moved from network to network. In order to protect the security of the information on his or her mobile computing device in this environment, the user must either (1) configure an overly restrictive trusted zone (i.e., not trust anyone and prohibit sharing of information with other computers), or (2) reconfigure the firewall each time the computer is connected to a different network. The first option devalues the ability to have a trusted zone of computers that can share information. The second option requires the user to remember to reconfigure the firewall each time he or she connects to a different network and may also require more technical skill than many end-users possess.
Given the increasing number of mobile devices connecting to different networks, there is much interest in a mechanism to reliably identify networks and specify whether or not the network should be included or excluded from the trusted zone.